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An instinct for growth. 


Internal Audit progress report 
The purpose of this report is to advise the Audit Committee of our progress in 
planning and delivering the 2014-15 Internal Audit Plan. 


Progress to date 


Since the Committee last met we have completed our integrated assurance review, 
reported as a separate agenda item. We have also met with management to develop 
the scope for our review of corporate and financial planning arrangements; this work 
starts in January 2015. 


We have commenced the Project review (Project Eagle and Finance replacement 
project) and IT support reviews and these are in progress. An update is included in 
this report. 
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Status and progress of reviews 


Agile Lessons Learnt workshop 3 Manage the "free market" of "good ideas" 

We participated in the lessons learnt from the use of Agile development in the ICE — filter to get ideas that have the potential to contribute to long term 
project. Agile is a software development and project management methodology objectives 

based on iterative and incremental development, where requirements and solutions — ideas should be reviewed regularly 

evolve through collaboration between self-organising, cross-functional teams. — encourage users to share ideas and provide feedback to users on decisions 
Agile delivers many more (typically smaller) changes in short periods of time, made 


rather than the traditional specification, development and major release process. 


4 Manage suppliers and resources 


The lessons learnt workshop was an opportunity to establish how to manage future — divide capability between maintenance & support, on-going projects and 
changes in the most effective manner. discretionary work 
Conclusions from workshop 5 IT Steering Group should: 
1 A clear set of definitions needs to be published within the ICO as to why — review on-going activity 
projects are being carried out, not least to assist in prioritisation of changes. — confirm existing allocation of resources to on-going projects 


Such definitions might include: — confirm accuracy of resource estimate 


— to achieve long term objectives, such as the public making use of web site 


ae — establish whether there is spare capacity to do more 
for registration 


— determine the next period's prioritised activities. 
— to ensure ICO projects deliver the needs of customers and stakeholders 


— reduce the time and cost of delivering changes 


2 Establish a set of criteria to assess projects. Examples could be: 
— contribution to ICO business 
— meets long term objectives 
— resolves customers' issue 
— maintains service level 
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Project review 

Finance replacement 

Microsoft Great Plains has been selected to replace Sun Accounts. The project is 
now focusing on detailed requirements specification. The supplier of software and 
consultancy services will be m-hance and services will be delivered through the 
Northgate contract. Review will focus on the selection process, project planning 
and governance, and establish that implementation is achievable with risks actively 
managed. The fieldwork will be completed in December. 


Project Eagle 

Lessons learnt sessions have been scheduled for 8 December, with Department 
Managers attending one session and the Project Board the second session. An 
update will be produced after the session. Feedback has already been collated from 
the teams and managers, and will form an input to these sessions. 
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IT support 

IT Steering Group 

Internal Audit attended the November 2014 meeting to observe the meeting and 
also consider Agile lessons learnt. We have a number of points to feed back to the 
IT Steering Group, which will happen during the next Steering Group meeting in 
eatly 2015, or earlier if agreed with management. 


Web site development 

The web-site development is largely completed. An initial meeting has been held 
with project manager and a further meeting is to be scheduled in December, to 
identify lessons learnt. We understand that during the development of the web 
site, a significant area of functionality had not been specified or costed, so the 
lessons to be learnt from this will form an area of focus of our review. 


Reliance on single supplier / IT infrastructure re-procurement 

We have met with the Deputy Commissioner, Operations and Head of IT to 
discuss these two telated areas. We concluded that a fundamental review is 
required to establish what options are available to the ICO to balance the 
requirements of keeping costs to an acceptable level but also to ensure that 
suppliers provide a service that the ICO requires. Currently, the [CO's experience 
of service delivery from Northgate and related suppliers is mixed. We are currently 
discussing with management how this might be achieved. 


The schedule overleaf provides an update against the 2014-15 Plan. 
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Integrated assurance 


Corporate and financial 
planning 


Project Eagle: lessons 
learnt 


IT support 


We have agreed that we will carry out a review to identify the different levels of management 
assurance in place (i.e. the second line of defence) and where they report within the ICO's 
framework. This will include the Information Rights Committee and supporting groups, as well as the 
IT Steering Group and the Finance Steering Group. 


Our review would look at how the 2014-17 ICO Plan was arrived at, including an assessment of the 
delivery to date of the 2013-17 Plan. 


The review will also examine how the business planning process is aligned to the financial planning 
arrangements, including how the newly formed Finance Steering Group fits within the process and 
how this is used to drive out the preparation, monitoring and governance of the budget. 


We will facilitate a workshop with key stakeholders from the Project, to draw out what went well and 
what could have been improved upon. 


In delivering Project Eagle, management applied key aspects of 'agile' project management 
processes. As part of the lessons learnt exercise we will explore with management how it can 
capture the methods applied more formally in a manner that can be deployed elsewhere. 
Management has also identified that a benefits realisation review of Project Eagle would be 
worthwhile, however this would be likely to fall into the 2015-16 plan. We will therefore initially 
consider how expected benefits have been initially identified. 


The ICO is currently establishing an IT Steering Group. GT has been asked to provide support and 
independent feedback and advice to the group, on its remit, structure and operation as a 
governance framework for IT. GT would attend early meetings of the Group as observer and 
provide feedback as required. 


Later in the 2014 the ICO will be re-procuring certain infrastructure services. Input is sought from 
GT in the considerations around requirements and delivery solutions, including cloud-based 
providers, and in considering both identification of risks and assurance over them. 


IT is considering the risks and issues around contingency planning in respect of the main IT 
provider. If the main supplier fails to deliver, and what options might be considered in response. 


The Web Development Team (which sits in Corporate Affairs), is currently implementing a new 
content management system (Umbraco). There is some Cabinet Office scrutiny of the project, and 
management would value a short assurance view towards the end of the project to provide input to 
the go-live decision period. 
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September 
2014 


January 
2015 


October 
2014 


September 
2014 
onwards 


November 
2014 


November 
2014 


To be 
agreed 


2.25 


2.25 


Final report issued. 


Planning brief issued. 
Fieldwork to commence in 
January 2015. 


Workshop session booked for 
2 December 2014. 


November IT Steering Group 
observed. 


Scope and budget under 
review. 


Initial meeting held and a 
lessons learnt session to be 
scheduled. 
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Finance system project The ICO is starting a project to replace its finance system. Our involvement would be to provide Meetings to be scheduled with 
assurance assurance over the project management and governance arrangements established and operating to © September 3 finance in December. 
deliver the project. On-going project assurance would follow at key stages of the project 2014 

onwards 

Follow Up Review of the arrangements to capture and implement audit recommendations in a timely manner. March 3 To be scoped in early 2015 
2015 

Planning, continued liaison, attendance at Audit Committee, annual reporting 7 

TOTAL 39.5 
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